Comment: A few commenters asked that the concept of "use" be modified to allow uses within an integrated healthcare delivery system. Commenters argued that the rule needs to ensure that the full spectrum of treatment is protected from the need for authorizations at the points where treatment overlaps entities. It was explained that, for example, treatment for a patient often includes services provided by various entities, such as by a clinic and hospital, or that treatment may also necessitate referrals from one provider entity to another unrelated entity. Further, the commenter argued that the rule needs to ensure that the necessary payment and health care operations can be carried out across entities without authorizations.

Response: The Department understands that in today's health care industry, the organization of and relationships among health care entities are highly complex and varied. We modify the proposed rule significantly to allow affiliated entities to designate themselves as a single covered entity. A complex organization, depending on how it self-designates, may have one or several "health care component(s)" that are each a covered entity. Aggregation into a single covered entity will allow the entities to use a single notice of information practices and will allow providers that must obtain consent for uses and disclosures for treatment, payment, and operations to obtain a single consent.

We do not allow this type of aggregation for unrelated entities, as suggested by some commenters, because unrelated entities' information practices will be too disparate to be accurately reflected on a single consent or notice form. Our policies on when consent and authorization are required for sharing information among unrelated entities, and the rationale for these policies, is described in §§ 164.506 and 164.508 and corresponding preamble.

As discussed above, in the final rule we have added a definition of organized health care arrangement and permit covered entities participating in such arrangements to disclose protected health information to support the health care operations of the arrangement. See the preamble discussion of the definitions of organized health care arrangement and health care operations, § 164.501.

Comment: Some commenters expressed concern that the requirement to obtain authorization for the disclosure of information to a non-health related division of the covered entity would impede covered entities' ability to engage in otherwise-permissible activities such as health care operations. Some of these commenters requested clarification that covered entities are only required to obtain authorization for disclosures to non-health related divisions if the disclosure is for marketing purposes.

Response: In the final rule, we remove the example of use and disclosure to non-health related divisions of the covered entity from the list of examples of uses and disclosures requiring authorization in § 164.508. We determined that the example could lead covered entities to the mistaken conclusion that some uses or disclosures that would otherwise be permitted under the rule without authorization would require authorization when made to a non-health related division of the covered entity. In the final rule, we clarify that disclosure to a non-health related division does not require authorization if the use or disclosure is otherwise permitted or required under the rule. For example, in § 164.501 we define health care operations to include conducting or arranging for legal and auditing services. A covered entity that is the health care component of a larger entity is permitted under the final rule to include the legal department of the larger entity as part of the health care component. The covered entity may not, however, generally permit the disclosure of protected health information from the health care component to non-health related divisions unless they support the functions of the health care component and there are policies and procedures in place to restrict the further use to the support of the health related functions.

Comment: Many commenters, especially those who employed providers, supported our position in the proposed rule to consider only the health care component of an entity to be the covered entity. They stated that this was a balanced approach that would allow them to continue conducting business. Some commenters felt that there was ambiguity in the regulation text of the proposed rule and requested that the final rule explicitly clarify that only the health care component is considered the covered entity, not the entity itself. Similarly, another commenter requested that we clarify that having a health care component alone did not make the larger entity a covered entity under the rule.

Response: We appreciate the support of the commenters on the health care component approach and we agree that there was some ambiguity in the proposed rule. The final rule creates a new § 164.504(b) for health care components. Under § 164.504(b), for a covered entity that is a single legal entity which predominantly performs functions other than the functions performed by a health plan, provider, or clearinghouse, the privacy rules apply only to the entity's health care component. A policy, plan, or program that is an "excepted benefit" under section 2791(c)(1) of HIPAA cannot be part of a health care component because it is expressly excluded from the definition of "health plan" for the reasons discussed above. The health care component is prohibited from sharing protected health information outside of the component, except as otherwise permitted or required by the regulation.

At a minimum, the health care component includes the organizational units of the covered entity that operate as or perform the functions of the health plan, health care provider, or clearinghouse and does not include any unit or function of the excepted benefits plan, policy, or program. While the covered entity remains responsible for compliance with this rule because it is responsible for the actions of its workforce, we otherwise limit the responsibility to comply to the health care component of the covered entity. The requirements of this rule apply only to the uses and disclosures of the protected health information by the component entity. See § 164.504(b).

Comment: Some commenters stated that the requirement to erect firewalls between different components would unnecessarily delay treatment, payment, and health care operations and thereby increase costs. Other commenters stressed that it is necessary to create firewalls between the health care component and the larger entity to prevent unauthorized disclosures of protected health information.

Response: We believe that the requirement to implement firewalls or safeguards is necessary to provide meaningful privacy protections, particularly because the health care component is part of a larger legal organization that performs functions other than those covered under this rule. Without the safeguard requirement we cannot ensure that the component will not share protected health information with the larger entity. While we do not specifically identify the safeguards that are required, the covered entity must implement policies and procedures to ensure that: the health care component's use and disclose of protected health information complies with the regulation; members of the health care component who perform duties for the larger entity do not use and disclose protected health information obtained through the health care component while performing non-component functions unless otherwise permitted or required by the regulation; and when a covered entity conducts multiple functions regulated under this rule, the health care component adheres to the appropriate requirements (e.g. when acting as a health plan, adheres to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. See §§ 164.504(c)(2) and 164.504(g). For example, a covered entity that includes both a hospital and a health plan may not use protected health information obtained from an individual's hospitalization for the health plan, unless the individual is also enrolled in the health plan. We note that covered entities are permitted to make a disclosure to a health care provider for treatment of an individual without restrictions.

Comment: One commenter stated that multiple health care components of a single organization should be able to be treated as a single component entity for the purposes of this rule. Under this approach, they argued, one set of policies and procedures would govern the entire component and protected health information could be shared among components without authorization. Similarly, other commenters stated that corporate subsidiaries and affiliated entities should not be treated as separate covered entities.

Response: We agree that some efficiencies may result from designating multiple component entities as a single covered entity. In the final rule we allow legally distinct covered entities that share common ownership or control to designate themselves or their health care components as a single covered entity. See § 164.504(d). Common ownership is defined as an ownership or equity interest of five percent or more. Common control exists if an entity has the power - directly or indirectly - to significantly influence or direct the actions or policies of another entity. If the affiliated entity contains health care components, it must implement safeguards to prevent the larger entity from using protected health information maintained by the component entity. As stated above, organizations that perform multiple functions may designate a single component entity as long as it does not include the functions of an excepted benefit plan that is not covered under the rule. In addition, it must adhere to the appropriate requirements when performing its functions (e.g. when acting as a health plan, adhere to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. At the same time, a component that is outside of the health care component may perform activities that otherwise are not permitted by a covered entity, as long as it does not use or disclose protected health information created or received by or on behalf of the health care component in ways that violate this rule.

Comment: Some commenters asked whether or not workers' compensation carriers could be a part of the health care component as described in the proposed rule. They argued that this would allow for sharing of information between the group health plan and workers' compensation insurers.

Response: Under HIPAA, workers' compensation is an excepted benefit program and is excluded from the definition of "health plan." As such, a component of a covered entity that provides such excepted benefits may not be part of a health care component that performs the functions of a health plan. If workforce members of the larger entity perform functions for both the health care component and the non-covered component, they may not use protected health information created or received by or on behalf of the health care component for the purposes of the non-covered component, unless otherwise permitted by the rule. For example, information may be shared between the components for coordination of benefits purposes.

Comment: Several commenters requested specific guidance on identifying the health care component entity. They argued that we underestimated the difficulty in determining the component and that many organizations have multiple functions with the same people performing duties for both the component and the larger entity.

Response: With the diversity of organizational structures, it is impossible to provide a single specific guidance for identifying health care components that will meet the needs of all organizations. Covered entities must designate their health care components consistent with the definition at § 164.504(a). We have tried to frame this definition to delineate what comes within a health care component and what falls outside the component.

Comment: A commenter representing a government agency recommended that only the component of the agency that runs the program be considered a covered entity, not the agency itself. In addition, this commenter stated that often subsets of other government agencies work in partnership with the agency that runs the program to provide certain services. For example, one state agency may provide maternity support services to the Medicaid program which is run by a separate agency. The commenter read the rule to mean that the agency providing the maternity support services would be a business associate of the Medicaid agency, but was unclear as to whether it would also constitute a health care component within its own agency.

Response: We generally agree. We expect that in most cases, government agencies that run health plans or provide health care services would typically meet the definition of a "hybrid entity" under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency's operations, under § 164.504(b). In addition, we have created an exception to the business associate contract requirement for government agencies who perform functions on behalf of other government agencies. Government agencies can enter into a memorandum of understanding with another government entity or adopt a regulation that applies to the other government entity in lieu of a business associate contract, as long as the memorandum or regulation contains certain terms. See § 164.504(e).

Comment: One commenter representing an insurance company stated that different product lines should be treated separately under the rule. For example, the commenter argued, because an insurance company offers both life insurance and health insurance, it does not mean that the insurance company itself is a covered entity, rather only the health insurance component is a covered entity. Another commenter requested clarification of the use of the term "product line" in the proposed rule. This commenter stated that product line should differentiate between different lines of coverage such as life vs. health insurance, not different variations of the same coverage, such as HMO vs. PPO. Finally, one commenter stated that any distinction among product lines is unworkable because insurance companies need to share information across product lines for coordinating benefits. This sharing of information, the commenter urged, should be able to take place whether or not all product lines are covered under the rule.

Response: We agree that many forms of insurance do not and should not come within the definition of "health plan," and we have excepted them from the definition of this term in § 160.103 applies. This point is more fully discussed in connection with that definition. Although we do not agree that the covered entity is only the specific product line, as this comment suggests, the hybrid entity rules in § 164.504 address the substance of this concern. Under § 164.504(c)(3), an entity may create a health plan component which would include all its health insurance lines of business or separate health care components for each health plan product line. Finally, the sharing of protected health information across lines of business is allowed if it meets the permissive or required disclosures under the rule. The commenter's example of coordination of benefits would be allowed under the rule as payment.

Comment: Several commenters representing occupational health care providers supported our use of the component approach to prohibit unauthorized disclosures of protected health information. They requested that the regulation specifically authorize them to deny requests for disclosures outside of the component entity when the disclosure was not otherwise permitted or required by the regulation.

Response: We appreciate the commenters' support of the health care component approach. As members of a health care component, occupational health providers are prohibited from sharing protected health information with the larger entity (i.e., the employer), unless otherwise permitted or required by the regulation.

Comment: One commenter asked how the regulation affects employers who carry out research. The commenter questioned whether the employees carrying out the research would be component entities under the rule.

Response: If the employer is gathering its own information rather than obtaining it from an entity regulated by this rule, the information does not constitute protected health information since the employer is not a covered entity. If the employer is obtaining protected health information from a covered entity, the disclosure by the covered entity must meet the requirements of § 164.512(i) regarding disclosures for research.

Comment: One commenter stated that the proposed rule did not clearly articulate whether employees who are health care providers are considered covered entities when they collect and use individually identifiable health information acting on behalf of an employer. Examples provided include, administering mandatory drug testing, making fitness-for-duty and return-to-work determinations, testing for exposure to environmental hazards, and making short and long term disability determinations. This commenter argued that if disclosing information gained through these activities requires authorization, many of the activities are meaningless. For example, an employee who fails a drug test is unlikely to give authorization to the provider to share the information with the employer.

Response: Health care providers are covered entities under this rule if they conduct standard transactions. A health care provider who is an employee and is administering drug testing on behalf of the employer, but does not conduct standard transactions, is not a covered entity. If the health care provider is a covered entity, then we require authorization for the provider to disclose protected health information to an employer. Nothing in this rule, however, prohibits the employer from conditioning an individual's employment on agreeing to the drug testing and requiring the individual to sign an authorization allowing his or her drug test results to be disclosed to the employer.

Comment: One commenter stated its belief that only a health center at an academic institution would be a covered entity under the component approach. This commenter believed it was less clear whether or not other components that may create protected health information "incidentally" through conducting research would also become covered entities.

Response: While a covered entity must designate as a health care component the functions that make it a health care provider, the covered entity remains responsible for the actions of its workforce. Components that create protected health information through research would be covered entities to the extent they performed one of the required transactions described in § 164.500; however, it is possible that the research program would not be part of the health care component, depending on whether the research program performed or supported covered functions.

Comment: Several commenters stated that employers need access to protected health information in order to provide employee assistance programs, wellness programs, and on-site medical testing to their employees.

Response: This rule does not affect disclosure of health information by employees to the employer if the information is not obtained from a covered entity. The employer's access to information from an EAP, wellness program, or on-site medical clinic will depend on whether the program or clinic is a covered entity.

Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.

Response: Health information collected by the employer directly from providers who are not covered entities is outside the scope of this regulation. We note that the disclosures which this comment concerns should be covered by § 164.512(b).

Survey Disclaimer

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0990-0379. The time required to complete this information collection is estimated to average 5 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: U.S. Department of Health & Human Services, OS/OCIO/PRA, 200 Independence Ave., S.W., Suite 336-E, Washington D.C. 20201, Attention: PRA Reports Clearance Officer.